[Original text] ATutor 1.4.1 through 1.5.1-pl1 allows remote attackers to execute arbitrary PHP functions via a direct request to forum.inc.php with a modified addslashes parameter with either the (1) asc or (2) desc parameters set, possibly due to an eval injection vulnerability.
ATutor contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'forum.inc.php' not properly sanitizing user input supplied to the 'addslashes', 'asc' and 'desc' variables. This may allow a remote attacker to execute arbitrary shell commands resulting in a loss of integrity.
Upgrade to version 1.5.2 or higher, as it has been reported to fix this vulnerability. In addition, ATutor has released a patch for some older versions.
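A log check for the request pattern described above, added here as an example (not ATutor's or the advisory's own code): it flags access-log entries that request forum.inc.php directly with an addslashes parameter plus asc or desc. The log lines, the PLACEHOLDER_DIR path and the parameter values are constructed, and the script assumes common/combined log format, so parameters sent in a POST body are not visible to it.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request field of a common/combined format access-log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_suspicious(target):
    """True if the request target matches the advisory's pattern:
    forum.inc.php requested directly with 'addslashes' plus 'asc' or 'desc'."""
    parts = urlsplit(target)
    # Compare every decoded path segment so %-encoding and trailing
    # path info after the script name do not hide the file name.
    segments = unquote(parts.path).lower().split("/")
    if "forum.inc.php" not in segments:
        return False
    # parse_qsl percent-decodes parameter names (e.g. %61ddslashes).
    keys = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    # PHP accepts array-style names such as asc[]; drop the bracket suffix.
    keys = {k.split("[", 1)[0] for k in keys}
    return "addslashes" in keys and bool(keys & {"asc", "desc"})

def scan(lines):
    """Return (line_number, client, target) for each matching log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group("target")):
            hits.append((n, line.split()[0], m.group("target")))
    return hits

# Constructed sample input: documentation IP addresses, placeholder path and values.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /PLACEHOLDER_DIR/'
    'forum.inc.php?addslashes=PLACEHOLDER&asc=PLACEHOLDER HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2006:10:00:05 +0000] "GET /PLACEHOLDER_DIR/'
    'forum.inc.php?%61ddslashes=PLACEHOLDER&desc=PLACEHOLDER HTTP/1.1" 200 512',
    # Benign: sort parameter on an unrelated page.
    '192.0.2.12 - - [01/Jan/2006:10:00:09 +0000] "GET /index.php?asc=name HTTP/1.1" 200 2048',
    # Direct request, but without asc or desc: outside the advisory's pattern.
    '192.0.2.13 - - [01/Jan/2006:10:00:12 +0000] "GET /PLACEHOLDER_DIR/'
    'forum.inc.php?addslashes=PLACEHOLDER HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for n, client, target in scan(SAMPLE_LOG):
        print(f"line {n}: {client} requested {target}")
```

Hits on a system that ran an affected version are a reason to review that host, since the access log shows that a matching request arrived but not what it did.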